b'OFFICE OF INSPECTOR GENERAL\n              Audit Report\nAudit of Internal Controls over Medicare Premium\nTransfers Between the Railroad Retirement Board\n and Centers for Medicare and Medicaid Services\n\n\n               Report No. 10-09\n                May 21, 2010\n\n\n\n\n  RAILROAD RETIREMENT BOARD\n\x0c                                          TABLE OF CONTENTS\n\nINTRODUCTION .................................................................................................. 1\n   Background ....................................................................................................... 1\n   Objectives ......................................................................................................... 2\n   Scope ................................................................................................................ 2\n   Methodology ...................................................................................................... 2\n\nRESULTS OF AUDIT ........................................................................................... 4\n   Completeness of Transfers ............................................................................... 4\n      Recommendations ......................................................................................... 5\n      Management\xe2\x80\x99s Response .............................................................................. 5\n   Accuracy of Funds Transfer Requests is Not Ensured ...................................... 5\n      Recommendations ......................................................................................... 6\n      Management\xe2\x80\x99s Response .............................................................................. 6\n   Timeliness of Transfer Requests Needs Improvement...................................... 6\n      Recommendation........................................................................................... 8\n      Management\xe2\x80\x99s Response .............................................................................. 8\n   Segregation of Duties ........................................................................................ 8\n      Recommendation........................................................................................... 8\n   Unauthorized Individuals Prepare and Certify Funds Transfer Requests .......... 9\n      Recommendation........................................................................................... 9\n      Management\xe2\x80\x99s Response .............................................................................. 9\n   Corrective Actions for Excess Medicare Premiums Payments and Medicare\n   Premium Refunds............................................................................................ 10\n      Recommendations ....................................................................................... 11\n      Management\xe2\x80\x99s Response ............................................................................ 11\n   Documented Internal Controls ......................................................................... 12\n      Recommendations ....................................................................................... 13\n      Management\xe2\x80\x99s Response ............................................................................ 13\n\nATTACHMENT 1 ................................................................................................ 14\n   Office of Programs\xe2\x80\x99 Management Response ................................................... 14\n\n\n\n\n                                                               i\n\x0c                                 INTRODUCTION\n\nThis report presents the results of the Office of Inspector General\xe2\x80\x99s (OIG) audit of\nthe internal controls for Medicare premium transfers between the Railroad\nRetirement Board (RRB) and the Centers for Medicare and Medicaid Services\n(CMS).\n\nBackground\n\nThe RRB is an independent agency in the executive branch of the Federal\ngovernment. The RRB administers retirement and survivor benefit programs for\nrailroad workers and their families that provide income protection for aged and\ndisabled annuitants. RRB annuitants receive monthly benefit payments and the\nRRB has authority to determine which RRB annuitants meet eligibility\nrequirements for Medicare. Medicare premium amounts are established by law\nand the RRB withholds Medicare Part B premiums from the annuitant\xe2\x80\x99s monthly\nbenefit payment. The RRB periodically transfers the premiums that were\nwithheld to CMS. 1 Likewise, CMS reimburses the RRB when retroactive\nMedicare premium adjustments occur and when excessive premiums may have\nbeen transferred. The RRB Medicare premium withholdings for fiscal years 2009\nand 2008 totaled $488 million and $490 million, respectively.\n\nThe Office of Programs administers various aspects of the Medicare program.\nWithin the Office of Programs, the Programs Support Division is responsible for\nrequesting Medicare premium transfers between the Railroad Retirement Act\n(RRA) trust funds and the Medicare account. The RRB uses Standard Form\n1081, Voucher and Schedule of Withdrawals and Credits, to record the funds\ntransfer requests (transfer requests). The Bureau of Fiscal Operations (BFO) is\nresponsible for executing the transfer of funds based on documentation provided\nby the Office of Programs.\n\nThe RRB established a process which requires the periodic test of internal\ncontrols by the organizational units responsible for day-to-day operations. During\na test of internal controls in December 2008, the Office of Programs was unable\nensure that the RRB was reimbursed by CMS for retroactive Medicare premium\nadjustments for funds previously issued from RRA trust funds. The Office of\nPrograms found that the RRB had not requested reimbursement from CMS for\nthese refunds for many years. The Office of Programs found that excessive\nfunds were transferred to CMS due to overlapping Medicare premium totals\nbeing reported from two separate sources. As a result of these inaccurate or\nmissing premium transfers, the RRB received approximately $24 million for the\nperiod June 1995 through July 2009. The Office of Programs developed new\nprocedures and implemented new controls to address these issues.\n\n1\n    \xc2\xa042\xc2\xa0USC\xc2\xa0\xc2\xa7\xc2\xa01395s\xc2\xa0(b)\xc2\xa0\n\n\n                                         1\n\x0cThis audit was undertaken as a result of the internal control issues identified by\nthe Office of Programs during their review of Medicare premium transfers.\nAccording to the \xe2\x80\x9cStandards of Internal Control in the Federal Government\xe2\x80\x9d,\ninternal control is an integral component of an organization\xe2\x80\x99s management that\nprovides reasonable assurance that the following objectives are being achieved:\neffectiveness and efficiency of operations, reliability of financial reporting, and\ncompliance with applicable laws and regulations. Internal control is a major part\nof managing an organization. It comprises plans, methods, and procedures used\nto meet missions, goals, objectives and, in doing so, supports performance-\nbased management. Internal control also serves as the first line of defense in\nsafeguarding assets and preventing and detecting errors and fraud. 2 This audit\naddresses the RRB\xe2\x80\x99s strategic objective to ensure the effectiveness and\nefficiency of operations.\n\nObjectives\n\nThe audit objectives were to:\n\n       \xe2\x80\xa2   determine if internal controls were properly designed and placed in\n           operation to ensure the accuracy, timeliness and completeness of\n           Medicare premium fund transfers between the RRB and CMS; and\n       \xe2\x80\xa2   determine the completeness of the controls used to identify and correct\n           the Medicare refunds and excessive premium payments.\n\nScope\n\nOur scope was limited to the internal controls for:\n\n       \xe2\x80\xa2   Medicare premium transfers for the period October 2009 through\n           December 2009; and\n       \xe2\x80\xa2   the process used by the Office of Programs during calendar year 2009 for\n           Medicare refunds from CMS to the RRB and excessive premium funds\n           transfers from the RRB to CMS.\n\nMethodology\n\nTo accomplish the audit objectives, we:\n\n       \xe2\x80\xa2   interviewed RRB staff;\n       \xe2\x80\xa2   reviewed applicable laws, regulations and agency procedures,\n       \xe2\x80\xa2   gained an understanding of internal controls,\n       \xe2\x80\xa2   tested internal controls for proper design and placement in operation,\n\n\n2\n    \xc2\xa0\xe2\x80\x9cStandards\xc2\xa0for\xc2\xa0Internal\xc2\xa0Control\xc2\xa0in\xc2\xa0the\xc2\xa0Federal\xc2\xa0Government,\xe2\x80\x9d\xc2\xa0GAO/AIMD\xc2\xa000\xe2\x80\x9021.3.1\xc2\xa0(11/99)\xc2\xa0page\xc2\xa04.\xc2\xa0\n\n\n                                                      2\n\x0c   \xe2\x80\xa2   reviewed supporting documentation for Medicare premium fund transfers\n       and\n   \xe2\x80\xa2   tested internal controls for proper design and placement in operation,\n       including the review of the accuracy, timeliness and completeness of\n       transfers made between the RRB and CMS.\n\nWe conducted this performance audit in accordance with generally accepted\ngovernment auditing standards. Those standards require that we plan and\nperform the audit to obtain sufficient, appropriate evidence to provide a\nreasonable basis for our findings and conclusions based on our audit objectives.\nWe believe that the evidence obtained provides a reasonable basis for our\nfindings and conclusions based on our audit objectives. Fieldwork was\nconducted from December 2009 through April 2010 at RRB headquarters in\nChicago, Illinois.\n\n\n\n\n                                        3\n\x0c                                     RESULTS OF AUDIT\n\nOur review determined that the Office of Programs\xe2\x80\x99 internal controls over\nMedicare premium transfers:\n\n    \xe2\x80\xa2   are not properly designed or placed in operation to ensure the accuracy,\n        timeliness and completeness of Medicare premium fund transfers between\n        the RRB and CMS, and\n    \xe2\x80\xa2   were not properly designed to ensure the completeness of the\n        identification and correction of the Medicare refunds and the excessive\n        premium payments.\n\nThe details of our findings and recommendations for corrective action follow.\n\nCompleteness of Transfers\n\nThe Office of Programs has no assurance that all of their transfer request forms\nare received and executed by BFO.\n\nA variety of control activities are used in information processing. Examples\ninclude edit checks of data entered, accounting for transactions in numerical\nsequences, comparing file totals with control accounts, and controlling access to\ndata, files, and programs. Control activities help to ensure that all transactions\nare completely and accurately recorded. 3\n\nThroughout the three-month test period 235 separate transfer requests were\nprepared by the Programs Support Division. The Programs Support Division\ndelivers the transfer requests to a BFO incoming tray, from which BFO staff\nretrieves the documents, executes the transfer requests and posts the\ntransactions in the RRB\xe2\x80\x99s financial records. BFO obtains and documents\nconfirmation of the transaction in their records. However, the Programs Support\nDivision does not obtain a copy of the confirmation because it is not required by\nagency procedures. We also found that there is no sequential numbering system\nfor the individual transfer requests and batch totals are not used during\nprocessing.\n\nOur tests of transactions disclosed one transfer request that had been prepared\nby the Programs Support Division but the actual funds transfer had not been\nexecuted by BFO staff. The Office of Programs was unaware of this unexecuted\ntransfer because they do not secure confirmations for these transactions. Other\nunexecuted funds transfers could exist.\n\n3\n \xc2\xa0\xe2\x80\x9cStandards\xc2\xa0for\xc2\xa0Internal\xc2\xa0Control\xc2\xa0in\xc2\xa0the\xc2\xa0Federal\xc2\xa0Government,\xe2\x80\x9d\xc2\xa0GAO/AIMD\xc2\xa000\xe2\x80\x9021.3.1\xc2\xa0(11/99)\xc2\xa0pages\xc2\xa013,\xc2\xa014\xc2\xa0\nand\xc2\xa015.\xc2\xa0\n\n\n                                                  4\n\x0cRecommendations:\n\nWe recommend that the Office of Programs:\n\n   1. develop and implement controls to ensure the completeness of the\n      transfer requests delivered to BFO, and\n   2. strengthen internal controls to ensure that funds transfer confirmations are\n      reconciled to the transfer requests.\n\nManagement\xe2\x80\x99s Response\n\nThe Office of Programs concurs with the recommendations and has agreed to\ndevelop and implement the recommended controls. The Office of Programs has\nalso agreed to strengthen controls to ensure that funds transfer confirmations are\nreconciled to the transfer requests. The full text of management\xe2\x80\x99s response is\nprovided as Attachment 1.\n\n\nAccuracy of Funds Transfer Requests is Not Ensured\n\nInternal controls do not ensure the accuracy of the transfer requests or provide\ncertainty that the transfer requests are always prepared.\n\nDocumented agency procedure provides specific instructions for the preparation\nof the transfer request forms, such as the basis for the creation of the voucher\nnumber and computation of the amounts to be recorded on the request forms.\n\nOur tests disclosed many inaccuracies in the funds transfer requests which\ntotaled more than $3.2 million from the period October 2009 through December\n2009. For example, we found that:\n\n   \xe2\x80\xa2   agency procedure is not always followed and errors are not always\n       detected during the review and approval process,\n   \xe2\x80\xa2   agency procedures does not always require a complete set of supporting\n       documentation to be maintained for, and attached to, each transfer\n       request,\n   \xe2\x80\xa2   some essential source documents are not always used when required,\n   \xe2\x80\xa2   some transfer requests could not be validated because the primary\n       support for the transfer requests was not maintained in its entirety and\n       could not be reproduced,\n   \xe2\x80\xa2   many of the transfer requests contained an inaccurate manually created\n       voucher number, which impacts the ability to trace a recorded funds\n       transfer to the originating transfer request, and\n\n\n                                        5\n\x0c   \xe2\x80\xa2   one transfer request submitted to and processed by BFO did not contain\n       the signature of the certifying officer.\n\nAdditional inaccuracies could exist as a result of these internal control\ndeficiencies.\n\nRecommendations:\n\nWe recommend that the Office of Programs:\n\n   3. strengthen internal controls to ensure that agency procedure is followed\n      for the preparation of the funds transfer request forms,\n   4. revise agency procedures to require that source documents be attached\n      and maintained as supporting documentation for the funds transfer\n      requests,\n   5. strengthen the review process to ensure the accuracy of the preparation of\n      the funds transfer request forms,\n   6. lengthen the required retention period for essential supporting reports, and\n   7. take corrective action for the noted error cases.\n\nManagement\xe2\x80\x99s Response\n\nThe Office of Programs concurs with Recommendations Nos. 3, 5, 6, and 7.\nSpecifically, the Office of Programs has agreed to:\n\n   \xe2\x80\xa2   strengthen controls to ensure that agency procedure is followed in the\n       preparation of the funds transfer request forms,\n   \xe2\x80\xa2   strengthen the review process to better ensure the accuracy of funds\n       transfer requests,\n   \xe2\x80\xa2   review applicable records retention schedules and determine what\n       additional action may be necessary to ensure that essential supporting\n       records are retained for an appropriate period; and\n   \xe2\x80\xa2   finalize the correction process.\n\nThe Office of Programs has also agreed with Recommendation No. 4 and plans\nto revise procedures to require that source documents be maintained to support\ncertification of the transfer request. The full text of management\xe2\x80\x99s response is\nprovided as Attachment 1.\n\n\nTimeliness of Transfer Requests Needs Improvement\n\nMedicare premium transfer requests are generally not processed within\nacceptable timeframes. In the absence of agency timeliness standards, we\n\n                                          6\n\x0cconsidered a transfer request timely, based on the type of transaction, if it was\nprepared within the following time standards:\n\nTransfer Requests Resulting from the Automated Medicare Adjustment Program\n\nThis type of refund is due from CMS after a refund check has been issued to the\nannuitant from the RRB on the first day of the month. We considered a refund\ntimely if the transfer request was prepared by the second business day of the\nmonth. We found that 62% of these transfer requests were not prepared within\nthis time standard. The transfer requests were prepared as much as two weeks\nafter the RRB issued the refund check.\n\nTransfer Requests Resulting from Manually Issued Refunds and Returned\nPayments\n\nThese types of Medicare premium transfers result from manually issued refunds\nand returned payments. Since these transactions had already occurred, we\napplied a one-day standard for the transfer requests prepared based on system\ngenerated reports. We found 17% of the transfer requests were not prepared\nwithin this time standard. The transfer requests related to manually issued\nrefunds were processed as much as four days late and the returned payment\nitems were processed as much as two months late.\n\nTransfer Requests Resulting from Non-Entitlement\n\nOther transfer requests are based on the receipt of an additional transfer request\nform that is associated with a particular annuitant. These additional transfer\nrequest forms are manually prepared by and received from the Survivor Benefits\nDivision within the Office of Programs. We considered these manually prepared\nrequests timely if they were prepared within five business days. We found that\n59% of these transfer requests were prepared as much as 60 days after\nentitlement ended.\n\nTransactions should be promptly recorded to maintain their relevance and value\nto management in controlling operations and making decisions. This applies to\nthe entire process or life cycle of a transaction or event from the initiation and\nauthorization through its final classification in summary records. 4\n\nDelays could result in all of the necessary transfer requests not being prepared,\nwhich could impact agency trust funds. Delays could also impact the timeliness\nof recording financial transactions.\n\n\n\n\n4\n    \xc2\xa0\xe2\x80\x9cStandards\xc2\xa0for\xc2\xa0Internal\xc2\xa0Control\xc2\xa0in\xc2\xa0the\xc2\xa0Federal\xc2\xa0Government,\xe2\x80\x9d\xc2\xa0GAO/AIMD\xe2\x80\x9000\xe2\x80\x9021.3.1\xc2\xa0(11/99)\xc2\xa0page\xc2\xa015.\xc2\xa0\n\n\n                                                     7\n\x0cRecommendation:\n\nWe recommend that the Office of Programs:\n\n       8. establish a timeliness standard for the processing of transfer requests.\n\nManagement\xe2\x80\x99s Response\n\nThe Office of Programs concurs with the recommendation and has agreed to\nestablish timeliness standards for transfer requests. The full text of\nmanagement\xe2\x80\x99s response is provided as Attachment 1.\n\n\nSegregation of Duties\n\nExisting controls over transfer requests are not effective to ensure proper\nsegregation of duties. Our tests of transactions disclosed three instances where\nthe funds transfer requests were prepared and certified by the same individual.\n\nKey duties and responsibilities need to be divided or segregated among different\npeople to reduce the risk of error or fraud. This should include separating\nresponsibilities for authorizing transactions, processing and recording them,\nreviewing the transactions, and handling key related assets. No one individual\nshould control all key aspects of a transaction or event. 5\n\nAgency procedure does not always address the need for separate preparers and\nreviewers as provided in other funds transfer procedures.\n\nWithout proper segregation of duties, the possibility of error or fraud exists.\n\nRecommendation:\n\nWe recommend that the Office of Programs:\n\n       9. strengthen its internal controls to ensure proper segregation of duties.\n\nManagement\xe2\x80\x99s Response\n\nThe Office of Programs disagrees with the auditor\xe2\x80\x99s findings that one individual\ncontrols all key aspects of a transaction and the possibility of fraud exists, but the\nOffice of Programs plans to review the current preparation and certification\npractices for funds transfers, identify practices that will provide for adequate\n\n\n5\n    \xc2\xa0Standards\xc2\xa0for\xc2\xa0Internal\xc2\xa0Control\xc2\xa0in\xc2\xa0the\xc2\xa0Federal\xc2\xa0Government,\xe2\x80\x9d\xc2\xa0GAO/AIMD\xe2\x80\x9000\xe2\x80\x9021.3.1\xc2\xa0(11/99)\xc2\xa0page\xc2\xa014.\xc2\xa0\n\n\n                                                     8\n\x0cseparation of duties, and update procedure as necessary. The full text of\nmanagement\xe2\x80\x99s response is provided as Attachment 1.\n\n\nUnauthorized Individuals Prepare and Certify Funds Transfer Requests\n\nInternal controls are not sufficient to ensure that only properly authorized\nindividuals prepare and authorize funds transfer request forms. During our\nreview, we found many transfer requests that were prepared or certified by\nindividuals not officially designated to process these transactions per Office of\nPrograms\xe2\x80\x99 procedure.\n\nTransactions and other significant events should be authorized and executed\nonly by persons acting within the scope of their authority. This is the principal\nmeans of assuring that only valid transactions to exchange, transfer, use, or\ncommit resources and other events are initiated or entered into. Authorizations\nshould be clearly communicated to managers and employees. 6\n\nWe were advised that due to the limited staff size in the Programs Support\nDivision, employees other than those designated to perform those functions are\npermitted to prepare funds transfer requests.\n\nThe potential for error increases when staff performs job functions that they are\nnot officially authorized to perform or have not received proper training. The\npotential for fraud increases when unauthorized staff is allowed to sign off on\ndocuments that can potentially provide access to or legally obligate the assets of\nthe agency. Preparation of transfer requests by preparers and certifiers other\nthan those designated in Office of Programs procedure can give the impression\nof impropriety.\n\nRecommendation:\n\nWe recommend that the Office of Programs:\n\n    10. strengthen its internal controls to ensure that only employees officially\n        designated as having authority to prepare or certify funds transfer\n        requests be allowed to perform this function.\n\nManagement\xe2\x80\x99s Response\n\nThe Office of Programs concurs with the recommendation and will update\nprocedures to clarify which positions are authorized to perform this function. The\nfull text of management\xe2\x80\x99s response is provided as Attachment 1.\n6\n \xc2\xa0\xe2\x80\x9cStandards\xc2\xa0for\xc2\xa0Internal\xc2\xa0Control\xc2\xa0in\xc2\xa0the\xc2\xa0Federal\xc2\xa0Government,\xe2\x80\x9d\xc2\xa0GAO/AIMD\xe2\x80\x9000\xe2\x80\x9021.3.1\xc2\xa0(11/99)\xc2\xa0pages\xc2\xa014\xc2\xa0and\xc2\xa0\n15.\xc2\xa0\n\n\n                                                  9\n\x0cCorrective Actions for Excess Medicare Premiums Payments and Medicare\nPremium Refunds\n\nThe Office of Programs found that the RRB was not being reimbursed by CMS\nfor retroactive Medicare premium adjustments for funds previously issued from\nRRA trust funds. They also found that excessive funds were transferred to CMS\ndue to overlapping Medicare premium totals being reported from two sources.\nAs a result of these issues and corrective actions taken by the RRB,\napproximately $24 million was refunded to the RRA trust fund account from the\nMedicare account.\n\nOur review determined that the internal controls over the identification and\ncorrection of the excess Medicare premium transfer amounts and Medicare\npremiums refunded to the RRB were inadequate to ensure the completeness of\nthe corrective actions taken.\n\nAlthough we were advised that an informal, undocumented review took place for\nthe financial data, we did not find evidence of a documented plan of controls,\nprocedures or approvals, a complete supervisory review and record of the review\nand approval process, or reconciliation to confirm transfer amounts. 7\n\nInternal Control and all transactions and other significant events need to be\nclearly documented and the documentation should be readily available for\nexamination. The documentation should appear in management directives,\nadministrative policies, or operation manuals and may be in paper or electronic\nform. All documentation and records should be properly managed and\nmaintained. In addition, control activities help to ensure that all transactions are\ncompletely and accurately recorded. 8\n\nExcess Medicare Premiums Payments\n\nWe found that the Office of Programs did not utilize confirmation reports of prior\ntransactions when identifying and calculating the excess Medicare premium\namounts to be transferred back to the RRB. Instead, the calculation of the\nMedicare premium amounts to be transferred back to the RRB from CMS was\nbased on transfer requests prepared by the Office of Programs, but were not\nnoted as having been reconciled to confirmed transfer amounts. As a result,\n\n7\n  \xc2\xa0In\xc2\xa0conjunction\xc2\xa0with\xc2\xa0the\xc2\xa0OIG\xe2\x80\x99s\xc2\xa0Auditor\xe2\x80\x99s\xc2\xa0Reports\xc2\xa0for\xc2\xa0the\xc2\xa0RRB\xe2\x80\x99s\xc2\xa0financial\xc2\xa0statements\xc2\xa0for\xc2\xa0fiscal\xc2\xa0years\xc2\xa0ended\xc2\xa0\nSeptember\xc2\xa030,\xc2\xa02009\xc2\xa0and\xc2\xa02008,\xc2\xa0the\xc2\xa0OIG\xc2\xa0reported\xc2\xa0a\xc2\xa0material\xc2\xa0weakness\xc2\xa0for\xc2\xa0internal\xc2\xa0controls\xc2\xa0over\xc2\xa0non\xe2\x80\x90\nintegrated\xc2\xa0sub\xe2\x80\x90systems\xc2\xa0because\xc2\xa0internal\xc2\xa0controls\xc2\xa0do\xc2\xa0not\xc2\xa0ensure\xc2\xa0the\xc2\xa0completeness\xc2\xa0of\xc2\xa0transactions\xc2\xa0\noriginating\xc2\xa0in\xc2\xa0non\xe2\x80\x90integrated\xc2\xa0sub\xe2\x80\x90systems.\xc2\xa0\xc2\xa0\xe2\x80\x9cReport\xc2\xa0on\xc2\xa0the\xc2\xa0Railroad\xc2\xa0Retirement\xc2\xa0Board\xe2\x80\x99s\xc2\xa0FY\xc2\xa02009\xc2\xa0Financial\xc2\xa0\nStatements\xe2\x80\x9d,\xc2\xa0OIG\xc2\xa0Report\xc2\xa0#10\xe2\x80\x9002,\xc2\xa0pages\xc2\xa0102\xc2\xa0and\xc2\xa0103.\xc2\xa0\xc2\xa0\n8\n  \xc2\xa0\xe2\x80\x9cStandards\xc2\xa0for\xc2\xa0Internal\xc2\xa0Control\xc2\xa0in\xc2\xa0the\xc2\xa0Federal\xc2\xa0Government,\xe2\x80\x9d\xc2\xa0GAO/AIMD\xe2\x80\x9000\xe2\x80\x9021.3.1\xc2\xa0(11/99)\xc2\xa0page\xc2\xa015.\xc2\xa0\n\n\n                                                     10\n\x0cthere is no reasonable assurance that the calculated amount of the $15.7 million\nin excessive premium payments refunded to the RRB during fiscal year 2009 is\ncomplete or accurate.\n\nMedicare Premium Refunds\n\nWe found no evidence of documented internal controls related to the process\nand procedures that the Office of Programs applied regarding the identification\nand calculation of Medicare premium refunds that were refunded back to the\nRRB. There was no evidence of a plan of controls, an audit trial of the review\nand approval process or a complete supervisory review. As a result, there is no\nreasonable assurance of the completeness of the $8.7 million in Medicare\npremium refunds reimbursed to the RRB during fiscal year 2009.\n\nRecommendations:\n\nWe recommend that the Office of Programs:\n\n   11. secure confirmation reports and test the accuracy of the calculation of the\n       amount of funds transferred back to the RRB from CMS and take any\n       necessary corrective actions, and\n   12. conduct an independent study to determine the completeness of the\n       identification and calculation of the amounts refunded from CMS.\n\nManagement\xe2\x80\x99s Response\n\nIn regard to Recommendation No. 11, the Office of Programs disagrees with the\nauditor\xe2\x80\x99s finding that the process offered \xe2\x80\x9cno reasonable assurance\xe2\x80\x9d but they do\nagree that securing confirmation reports as described in the report and\ncomparing them to the related transfer requests would have strengthened the\nprocess and they plan to complete this test next month. The full text of\nmanagement\xe2\x80\x99s response is provided as Attachment 1.\n\nThe Office of Programs disagrees with the OIG\xe2\x80\x99s finding and rejects\nRecommendation No. 12. The Office of Programs stated that they believe that\ntheir management has adequate assurance that the amount reimbursed is\ncomplete because a coordinated methodical approach was used to determine\nthe amount refunded. The Office of Programs also stated that the OIG did not\nidentify any errors related to the $24.5 million reimbursed to the RRB by CMS\nand Recommendation No. 11, which they have agreed to implement, addresses\nnearly two-thirds of that amount. The Office of Programs also stated that they\nbelieve that their approach to identify these transactions provided reasonable\nassurance that no material errors occurred during the process. Additionally, the\nOffice of Programs stated that they believe that their actions provided reasonable\n\n\n\n                                        11\n\x0cassurance in all regards and that no further action is necessary. The full text of\nmanagement\xe2\x80\x99s response is provided as Attachment 1.\n\nOIG\xe2\x80\x99s Comments on Management\xe2\x80\x99s Response\n\nThe OIG did not report any errors related to the $24.5 million because we did not\naudit the calculation of this reimbursement. Our audit objective was to determine\nthe completeness of the controls used to identify and correct the Medicare\nrefunds and excessive premium payments. In their written response for this\nrecommendation, the Office of Programs states that their coordinated methodical\napproach provides assurance that the amount reimbursed is complete. We\nfound that the Office of Programs\xe2\x80\x99 methodical approach did not meet GAO\nStandard of Internal Controls in the Federal Government. There was no\nevidence of a documented plan of controls, procedures or approvals, a complete\nsupervisory review, an audit trail of the review and approval process, or\nreconciliation to confirm transfer amounts.\n\nPer the GAO Standards of Internal Controls in the Federal Government, control\nactivities occur at all levels and functions of the entity. They include a wide range\nof diverse activities such as approvals, verifications, reconciliations, performance\nreviews, maintenance of security, and the creation and maintenance of related\nrecords which provide evidence of execution of these activities as well as\nappropriate documentation. As previously stated, we stand by our position that\nwithout these documented controls, there is no reasonable assurance of the\ncompleteness for the $24.5 million reimbursement. An independent study would\nbe beneficial to determine the completeness and accuracy of the reimbursed\namount.\n\n\nDocumented Internal Controls\n\nOur audit found that management control documentation for the Transfer of\nFunds and RRA Benefit Payment assessable units does not provide agency\nmanagement with a reasonable standard of internal controls that is consistent\nwith the Government Accountability Office (GAO) Standards of Internal Control\nfor the Federal Government. This occurs because the documented objectives\nand control techniques focus more on agency operations and less on internal\ncontrols. For example, management control documentation for the Transfer of\nFunds assessable unit does not address segregation of duties, proper execution\nof transactions and events and the completeness of recording transactions.\n\nThe Management Control Review Committee is responsible for overseeing a\nprocess to identify and eliminate management control weaknesses. The\ncommittee is also responsible for ensuring the accuracy and completeness of\nreports on management controls.\n\n\n\n                                         12\n\x0cThe RRA Benefits Payment assessable unit is responsible for creating procedure\nfor the Transfer of Funds assessable unit. They are also responsible for various\nagency systems that result in reports used as the basis for different types of\ntransfer requests. One of the objectives provided in their chart of controls is to\n\xe2\x80\x9censure the accuracy of transfer of funds processes.\xe2\x80\x9d\n\nControl activities include policies, procedures and mechanisms in place to help\nensure that agency objectives are met. Several examples include: proper\nsegregation of duties (separate personnel with authority to authorize a\ntransaction, process the transaction, and review the transaction); physical\ncontrols over assets (limited access to inventories or equipment); proper\nauthorization; and appropriate documentation and access to that\ndocumentation. 9\n\nThe risk of error or fraud increases without the development and implementation\nof GAO internal control standards. Agency management could place too much\nreliance on the incorrect control objectives and the incomplete control\ntechniques. In addition, control deficiencies could go undetected if the applicable\ncontrols are not listed and tested.\n\nRecommendations:\n\nWe recommend that the Office of Programs:\n\n       13. work with the Management Control Review Committee to revise\n           management control documentation for the Transfer of Funds and the\n           RRA Benefit Payments assessable units to be consistent with GAO\n           guidance for internal controls, and\n       14. work with the Management Control Review Committee to revise the\n           objectives and control techniques to accurately depict organizational\n           responsibilities of the Transfer of Funds and RRA Benefit Payments\n           assessable units.\n\nManagement\xe2\x80\x99s Response\n\nThe Office of Programs concurs with the recommendations and plans to review\nand update management control documentation for these assessable units. The\nfull text of management\xe2\x80\x99s response is provided as Attachment 1.\n\n\n\n\n9\n    \xc2\xa0OMB\xc2\xa0Circular\xc2\xa0A\xe2\x80\x90123,\xc2\xa0Management\xe2\x80\x99s\xc2\xa0Responsibility\xc2\xa0for\xc2\xa0Internal\xc2\xa0Control,\xc2\xa0Section\xc2\xa0II.C,\xc2\xa0page\xc2\xa08.\xc2\xa0\n\n\n                                                       13\n\x0c                                                           ATTACHMENT 1\n                        UNITED STATES                                              FORM G-1l5f (l~2)\n                        GOVERNMENT                                 RAILROAD RETIREMENT BOARD\n\n                       MEMORANDUM\n                                                                   MAY "1 7 2010\n\nTO:                 Diana Kruel\n                  " Acting Assistant Inspector General for Audit\n\n\nFROM:              Cathertne A.   Leyse~ tl J"\'~\n                                             \xc2\xab\xc2\xad\n                   Director of Assessment and Training\n\nTHROUGH\':          Dorothy   Isherwoofl)~\n                   Director of Programs\n\n\nSUBJECT:\t          Draft Report -Internal Controls Over RRB\xc2\xb7CMS Medicare\n                   Premium- Transfers\n\nInternal Controls Over RRB\xc2\xb7CMS Medicare Premium Transfers\n\n\nOverall\t         The Office of Programs generally agrees with the Office of Inspector\nComments\t        General\'s (DIG) recommendations to strengthen controls over the current\n                 funds transfer process. We value their input to this process, which had just\n                 undergone a period of transition and change that made it more vulnerable to\n                 non-conformance and error.\n\n                 However, we disagree with the OIG\'s conclusions concerning the recent\n                 correction of past errors in the Medicare premium transfer process. The\n                 Office of Programs identified those errors through an internal review process\n                 and corrected them timely and accurately using proven methods. We believe\n                 that we were fully effective in this area.\n\n\nRecommendation   We recommend that the Office of Programs develop and implement controls\n1                to ensure the completeness of the !ransfer requests delivered to BFO.\n\n\nOffice of        We concur. We will develop and implement the recommended controls by\nPrograms         September 30, 2010.\nResponse\n\n\nRecommendation\t We recommend that the Office of Programs strengthen internal controls to\n2               ensure that funds transfer confirmations are reconciled to the transfer\n                 requests.\n\n\n\n\n                                             14\n\n\x0c                                                           ATTACHMENT 1\n\n Office of          We concur. We will strengthen controls to ensure that funds transfer\n Programs           confirmations are reconciled to the transfer requests by September 30,2010.\n Response\'\n\n\n Recommendation\t We reco)11mend that the Office of Programs strengthen internal controls to\n 3               ensure that agency procedure is followed for the preparation of the funds\n                   transfer request forms.\n\n\n Office of\t        We concur. We will strengthen controls to ensure that agency procedure is\n Programs          followed in the preparation of the funds transfer request forms by\n Response          September 30,2010.\n\n\n Recommendation    We recommend that the Office of Programs revise agency procedures to\n 4                 require that source documents be attached and maintained as supporting\n                   documentation for the funds transfer requests.\n\n\n Office of         We agree that source documents should be maintained in the Office of\n Programs          Programs as an attachment to the SF-10S1 to support certification of the\n.Response          transfer request. We will revise our procedures as necessary by\n                   September 30, 2010.\n\n\n Recommendation    We recommend that the Office of Programs strengthen the review process to\n 5                 ensure the accuracy of the preparation of the funds transfer request forms.\n\n\n Office of\t        We concur. We will strengthen the review process to better ensure the\n Programs          accuracy of funds transfer requests by September 30, 2010.\n Response\n\n\n Recommendation    We recommend that the Office of Programs lengthen the required retention\n 6                 period for essential supporting reports.\n\n\n Office of\t        We concur. We will review applicable records retention schedules and\xc2\xb7\n Programs          determine what additional action may be necessary to ensure that essential\n Response          supporting reports are retained for an appropriate period. We will make this .\n                   determinati9n by September 30, 2010.        .\n\n\n Recommendation    We recommend that the Office of Programs take corrective action for the\n 7                 noted error cases.\n\n\n. Office of       \xc2\xb7We concur. We are finalizing the correction process and expect to complete\n  Programs         action on this recommendation\n                                             .    by ~une\n                                                     ..\n                                                          30, 2010. .        .\n  Response.\n\n\n                                               15\xc2\xb7\n\x0c                                                              ATTACHMENT 1\n\n\n\n\'Recommendation    We recommend that the Office of Programs establish a timeHness standard;,\n 8                 for the processing of transfer requests.\n\n\nOffice of          We concur. We will establish timeliness standards for transfer requests by\nPrograms           September 30, 2010.         \'\nResponse\n\n\nRecommendation     We recommend that the Office of Programs strengthen its internal coritrols to\n9                  ensure proper segregation of duties.\n\n\nOffice of          Although we disagree with the auditor\'s findings that one individual controls\nPrograms           all key aspects of a transaction arid the possibility of fraud exists, we will\nResponse           review the current preparation and certification practices for funds transfers,\n                   identify practices that will provide for adequate separation of duties, and\n                   update procedure as necessary by ~eptember 30,2010.\n\n\nRecommendation     We recommend that the Office of Programs strengthen its internal controls to\n10                 ensure that only employees officially designated as having authority to\n                   prepare or certify funds transfer requests be allowed to perform this function.\n\n\nOffice of          We concur. We will update procedures to clarify which positions are\nPrograms           authorized to perform this function by September 30, 2010.\nResponse\n\n\nRecommendation     We recommend that the Office of Programs secure confirmation reports and\n11                 test the accuracy of the calculation of the amount of funds transferred back to\n                   the RRB from CMS and take any necessary corrective actions.\n\n\nOffice of          Although we disagree with auditor\'s \'finding that the process offered "no\nPrograms           reasonable assurance," we do agree that securing confirmation reports as\nResponse           described in the\'report and comparing them to the related transfer requests\n                   would have strengthened the process. We expect to complete this test by\n                   June 30, 2010.\n\n\nRecommendation      We recommend that the Office of Programs conduct an independent study to\n12                  determine the completenes~ of the identification and calculation of the\n                 , ,amounts refunded from CMS.\n\n\n\n\n                                                16\n\n\x0c                                                               ATTACHMENT 1\n\n\nOffice of        We disagree with the OIG\'s finding and reject the recommendation. We believe\nPrograms         that Office of Programs management has adequate assurance that the amount\nResponse         reimbursed is complete because a coordinated methodical approach was used\n                 to determine the amount refunded. In addition, theOIG did not identify any\n                 errors related to the $24.5 million reimbursed to theRRB by CMS and\n                 recommendation #11, which we have agreed to implement, addresses nearly\n                 two-thirds of that amount.\n\n                 In July 2009, during a routine review of operational controls, the Office of\n                 Programs observed that errors had occurred in the process for transferring\n                 Medicare premiums to the Centers for Medicare and Medicaid Services (CMS).\n                 Office of Program\'s acted immediately to identify the cause of these errors and\n                 to recover monies due to the RRB\'s trust funds. Approximately $24.5 million due\n                 tn\'e RRB was identified using a methodical and well coordinated approach during\n                 which we:\t                                           \' .\n\n                    \xe2\x80\xa2    identified the underlying cause of the fund transfer errors and the\n                         timeframes during which errors occurred,\n            /\n                    \xe2\x80\xa2    reviewed applicable technical files and other relevant documentation;\n                    \xe2\x80\xa2\t   consulted with statistical, systems, and procedural experts;\n                    \xe2\x80\xa2\t   analyzed each problem area to determine the most effective approach;\n                    \xe2\x80\xa2\t   detailed an approach to each problem area based on availability of data;\n                    \xe2\x80\xa2\t   produced results based on the planned approaches;\n                    \xe2\x80\xa2\t   obtained senior Office of Programs management approval for the request\n                         to CMS;\n                    \xe2\x80\xa2\t   briefed all levels of agency management, inclUding Board offices; and\n                    \xe2\x80\xa2\t   briefed CMS senior staff, responded to their questions and secured their\n                         concurrence.\n\n                The $24.5 million transferred to the RRB was fully supported by individual\n                transactions documented in the agency\'s recordsJ The details of these\n                transactions were shared with CMS at the time the funds were requested. We\n                believe that our approach to identifying the~e transactions provided reasonable\n                assurance that no material errors occurred during the process.\n\n                    \xe2\x80\xa2\t   The transactions supporting the $8.7 million in unreimbursed premium\n                         refunds were identified by extract from automated systems of which more\n                         than 70% required no manual intervention to determine their dollar value.\n                    \xe2\x80\xa2\t   Only a minority ($2.4 million) required additional manual efforts to\n                         determine the dollar amount which effort was closely monitored.\n                    \xe2\x80\xa2\t   The balance of $15.7 million wa~ related to only 31 readily identifiable\n                         transactions: one transaction per month during each of 31 months.\n                         Although summarized manually, the number of months impacted is not in\xc2\xb7\n                         question and OIG recommendation #11 already addresses this\n                         component of the refund\xe2\x80\xa2\n\n                .We believe that our actions provided reasonable assurance in all regards and\n\n                that no further action is necessary.\n\n\n\n\n\n                                                17\n\x0c                                                            ATTACHMENT 1\n\n\n\nRecommendation\t We recommend that the Office of Programs work with the Management\n13              Control Review\xc2\xb7 Committee to revise management control documentation for\n                the Transfer of Funds and the RRA Benefit Payment assessable units to be\n                consistent with GAO gUidance for internal controls.\n\n\nOffice of        We concur. We will review and update management control documentation\nPrograms         for these assessable units. We will work with MCRC to establish a target\nResponse\xc2\xb7        date for completion of that process by September 30, 2010.\n                                   . . \t                            \\\n\n\n\n\nRecommendation\t We recommend that the Office of Programs work with the Management\n14\t             Control Review Committee to revise the objectives and control techniques to\n                accurately depict organizational responsibilities of the Transfer of Funds and\n                the RRA Benefit Payment assessable units.\n\n\nOffice of        We concur. We will review and update management control documentation\nPrograms         for these assessable\' units. We will work with MCRC to establish a target\nResponse         date for completion of that process by September 30, 2010.\n\n\n\n\ncc:\t           Director of Policy and Systems\n               Director of Operations\n             . Chief Financial Officer\n               Management Control Review Committee\n\n\n\n\n                                              18\n\n\x0c'